JP6913206B2 - Log analysis method and log priority table management method - Google Patents

Description

The present invention relates to a log analysis method and a log priority table management method.

In recent years, with the networking of in-vehicle devices and the like, the need for appropriate security has increased in the field of in-vehicle device systems as well. With respect to such security technology for in-vehicle devices, it is widely known that a server on a network grasps the status of the in-vehicle device and the server detects an abnormality in the in-vehicle device. Patent Document 1 discloses a device capable of transmitting moving body information such as position information from a moving body such as a vehicle by an appropriate method according to a situation.

Japanese Unexamined Patent Publication No. 2005-12441

In the abnormality detection of the in-vehicle device using the server as described above, the server can detect various abnormalities generated in the in-vehicle device by collecting a large amount of detailed information as a log in the in-vehicle device and transmitting it to the server. However, in-vehicle devices generally have scarce resources due to restrictions on installation space and the like, and the amount of information that can be collected is limited. Therefore, it is necessary to collect appropriate logs according to the situation of the in-vehicle device, but this cannot be done by the invention described in Patent Document 1.

The log analysis method according to the first aspect of the present invention is a log analysis method in a server device which is connected to a plurality of in-vehicle devices mounted on a vehicle by a network and receives and analyzes logs accumulated in the in-vehicle device. When it is determined that the first step of analyzing the logs received from the plurality of in-vehicle devices and determining the possibility of an attack occurring in each in-vehicle device and the possibility of an attack occurring in the first step. The in-vehicle device accumulates in the second step of determining the in-vehicle device for which the temporary log is to be collected among the plurality of in-vehicle devices and the in-vehicle device for which the temporary log is collected in the second step. From the third step of transmitting the log priority table change request message requesting the change of the log priority table indicating the log priority and the in-vehicle device that sent the log priority table change request message in the third step. When the temporary log is received, the fourth step of analyzing the temporary log to determine whether or not an attack has occurred, the case where it is determined that an attack has occurred in the fourth step, and the log in the third step. It has a fifth step of notifying the occurrence of an attack when the temporary log is not received within a predetermined time from the in-vehicle device that has transmitted the priority table change request message.
The log priority table management method according to the second aspect of the present invention is a log priority table management method in an in-vehicle device connected to a server device that performs the log analysis method according to the first aspect by a network, and is the server device. The sixth step of receiving the log priority table change request message from, and the seventh step of updating the log priority table stored in the in-vehicle device according to the received log priority table change request message. The log priority table has an eighth step of deleting a record whose valid time has expired for a record indicated to be temporary.

According to the present invention, it is possible to collect appropriate logs according to the situation of the in-vehicle device.

Log collection system configuration diagram Diagram illustrating the configuration of the log priority table Diagram illustrating the configuration of a log table Diagram illustrating the configuration of the temporary log table Flowchart showing the process of acquiring and accumulating logs by an in-vehicle device Flowchart showing a series of processes after the server collects logs Flowchart showing update processing of log priority table by in-vehicle device A flowchart showing a program update process in which an in-vehicle device updates a program that functions as a log collector.

Hereinafter, embodiments of the log collection system will be described with reference to FIGS. 1 to 8.
FIG. 1 is a configuration diagram of a log collection system. The log collection system 1 is composed of a server 10 and an in-vehicle device 30. The server 10 and the vehicle-mounted device 30 are connected via the network 20. Although only one in-vehicle device 30 is shown in FIG. 1, the server 10 is connected to a plurality of in-vehicle devices 30. The plurality of in-vehicle devices 30 connected to the server 10 are mounted on different vehicles. The in-vehicle device 30 can provide various services to the occupants of the vehicle by executing one or a plurality of programs. The program executed in the in-vehicle device 30 is incorporated at the time of shipment of the in-vehicle device 30.

(Server configuration)
The server 10 includes a CPU 100, a memory 110, a server communication unit 120, an input unit 130, and an output unit 140. Hereinafter, a person who operates the input unit 130 of the server 10 is referred to as an "operator".
The CPU 100 executes a program stored in a ROM (not shown), and executes various arithmetic processes for operating the server 10. This program uses the data stored in the memory 110. The CPU 100 functionally includes a log analysis unit 101, a temporary log information creation unit 102, a log priority change instruction unit 103, a log change instruction unit 104, and a service instruction unit 105.

The log analysis unit 101 analyzes the log collected from the in-vehicle device 30, detects the possibility of an attack on the in-vehicle device 30, and detects an attack on the in-vehicle device 30. When the log analysis unit 101 detects the possibility of an attack on the in-vehicle device 30, the temporary log information creation unit 102 rewrites the log table described later and the log priority table described later. The log priority change instruction unit 103 creates a log priority table change request message for notifying the vehicle-mounted device 30 of the log priority table information rewritten by the temporary log information creation unit 102, and transmits the log priority table change request message to the vehicle-mounted device 30. .. The log priority table change request message includes the entire contents of the rewritten log priority table. The log change instruction unit 104 notifies the in-vehicle device 30 of the information of the log table rewritten by the temporary log information creation unit 102. However, as will be described later, since the log table information is included in the program in the present embodiment, the log change instruction unit 104 notifies the vehicle-mounted device 30 of the change of the log table by transmitting the program to the vehicle-mounted device 30. The service instruction unit 105 outputs a service stop instruction to the in-vehicle device 30 when the log analysis unit 101 determines that the service needs to be stopped immediately.

Data is stored in the memory 110. The memory 110 functionally includes a collection log storage unit 111, a log table collection storage unit 112, a log priority table collection storage unit 113, and a temporary log table storage unit 114.
The collection log storage unit 111 stores the logs collected from each in-vehicle device 30.
The log table collection storage unit 112 stores a log table that specifies information to be collected as a log by each in-vehicle device 30. Since the log table is different for each vehicle-mounted device 30, the log table collection / storage unit 112 stores the same number of log tables as the vehicle-mounted device 30 connected to the server 10. However, some vehicle-mounted devices 30 share a log table, and the number of log tables stored in the log table collection / storage unit 112 may be smaller than the number of vehicle-mounted devices 30 connected to the server 10.

The log priority table collection storage unit 113 stores a log priority table indicating the priority of the logs accumulated by each in-vehicle device 30. Since the log priority table is different for each vehicle-mounted device 30, the log priority table collection storage unit 113 stores the same number of log priority tables as the vehicle-mounted device 30 connected to the server 10. However, some in-vehicle devices 30 share the log priority table, and the number of log priority tables stored in the log priority table collection storage unit 113 is smaller than the number of in-vehicle devices 30 connected to the server 10. You may.

The temporary log table storage unit 114 stores a temporary log table that defines logs to be temporarily collected when the log analysis unit 101 detects the possibility of an attack. There is only one temporary log table in this embodiment, and it is commonly used in all the in-vehicle devices 30.
The server communication unit 120 communicates with the in-vehicle device 30 via the network 20.
The input unit 130 detects the operation input from the operator and outputs it to the CPU 100. The input unit 130 is composed of, for example, a mouse, a keyboard, or the like.
The output unit 140 displays a screen and outputs audio according to an instruction from the CPU 100. The output unit 140 is composed of, for example, a display, a speaker, or the like.

(Configuration of in-vehicle device)
The in-vehicle device 30 includes a CPU 150, a memory 160, an in-vehicle communication unit 170, an input unit 180, and an output unit 190. Hereinafter, the person who operates the input unit 180 of the vehicle-mounted device 30 and the occupant of the vehicle on which the vehicle-mounted device 30 is mounted are referred to as "users".
The CPU 150 executes a program (not shown) stored in the memory 160, and executes various arithmetic processes for operating the in-vehicle device 30. This arithmetic processing also includes execution of a program for providing a service to a user. The CPU 150 functionally includes a log collection unit 151, a log priority table management unit 152, a program update unit 153, and a service control unit 154.

The log collecting unit 151 acquires a log for transmission to the server 10 and stores the log in the log storage unit 163. What kind of information the log collecting unit 151 collects as a log is hard-coded in the program. The log priority table management unit 152 updates the log priority table stored in the log priority table storage unit 162 based on the command of the server 10. The program update unit 153 updates the program executed by the CPU 150 to the program stored in the update program storage unit 165. By updating this program, the information collected as a log by the log collection unit 151 is changed. The service control unit 154 controls the provision of the service based on the service start / stop instruction using the input unit 180 by the user and the service stop instruction from the server 10.

The memory 160 functionally includes a log table storage unit 161, a log priority table storage unit 162, a log storage unit 163, an in-vehicle device information storage unit 164, and an update program storage unit 165. However, the log table is included in the above-mentioned program stored in the memory 160. That is, since the log table is stored in the memory 160 in a different form, the log table storage unit 161 is shown by a broken line in FIG.

The log table storage unit 161 stores a log table, which is information indicating the specific contents of the information to be collected as a log. In other words, the information stored in the log table is the information indicating the information to be collected as a log. The log priority table storage unit 162 stores a log priority table, which is information for managing the priority of the accumulated logs. The log acquired by the log collecting unit 151 is accumulated and stored in the log storage unit 163. The in-vehicle device information storage unit 164 stores a device ID that identifies the in-vehicle device. The program received from the server is temporarily stored in the update program storage unit 165.

The vehicle-mounted communication unit 170 communicates with the server 10 via the network 20. When the in-vehicle communication unit 170 transmits the log collected by the log collection unit 151 to the server 10, the in-vehicle communication unit 170 includes the device ID stored in the in-vehicle device information storage unit 164, the time when the log is collected, and the in-vehicle device 30. Position information, that is, latitude and longitude are transmitted together. The position information may be input from another device of the vehicle on which the vehicle-mounted device 30 is mounted, or may include a configuration in which the vehicle-mounted device 30 acquires the position information, for example, a GPS receiver.

The input unit 180 detects an operation input from the user and outputs it to the CPU 100. The input unit 180 includes, for example, keyboard input, touch panel input, and the like. The output unit 190 performs screen display and audio output according to an instruction from the CPU 150. The output unit 190 is composed of, for example, a display, a speaker, or the like.

(service)
The in-vehicle device 30 can provide various services to the user. The service provided by the in-vehicle device 30 can be arbitrarily started and stopped by a user's command. However, as will be described later, the service that receives the stop command from the server 10 is stopped regardless of the user's operation command.

Services include, for example, a navigation service that guides the route to a destination selected by the user, a facility introduction service that introduces recommended spots that exist around the current location or the destination entered by the user, and a notification of when to replace a vehicle part. Maintenance services, traffic jam information services that notify traffic jam information on surrounding roads, etc. Each program that executes these services stores the user's input history in an independent file for the sake of convenience. It is assumed that these files will be accessed only by the programs that run their respective services.

(Log priority table)
FIG. 2 is a diagram illustrating a configuration of a log priority table stored in the log priority table collection storage unit 113 of the server 10 and the log priority table storage unit 162 of the in-vehicle device 30. As will be described in detail later, whether or not to accumulate the collected logs is determined by the priority described in this log priority table. Logs that are not listed in the log priority table are treated as having the lowest priority. Note that FIG. 2 shows an example of a log priority table for one vehicle-mounted device 30 stored in the log priority table storage unit 162 of the vehicle-mounted device 30. Therefore, a plurality of types of log priority tables as shown in FIG. 2 are stored in the log priority table collection storage unit 113 of the server 10 according to the number of in-vehicle devices 30 included in the log collection system 1.

The log priority table is composed of seven fields: priority 201, log type 202, mode 203, condition type 204, area 205, service 206, and valid time 207. The log priority table consists of one or more records.

In the field of priority 201, information indicating the priority for accumulating logs is stored as a numerical value, and the smaller the numerical value, the higher the priority. There may be multiple records with the same priority. An identifier indicating the log type is stored in the field of the log type 202. The field of mode 203 stores information indicating whether the record is permanently valid or temporarily valid, "normal" if it is permanent, and "normal" if it is temporary. "Temporary" is stored. When the mode 203 is "temporary", the valid period of the record is stored in the valid time 207. In other words, a record that is permanently valid indicates that the period stored in the valid time 207 is "indefinitely permanent."

The condition type 204 field stores the condition for which the record is valid. If the record is always valid without any special condition, "always" is stored, and if the record is valid under some condition, the condition is stored. For example, if the record is valid on the condition that the vehicle-mounted device 30 is in a specific area, the condition type 204 stores the "area". If the record is valid on the condition that the in-vehicle device 30 is executing a specific service, the condition type 204 stores "service". In the field of the area 205, the condition relating to the area when the "area" is stored in the condition type 204 is stored. In the field of service 206, the condition related to the service when "service" is stored in the condition type 204 is stored.

The field of the valid time 207 stores the valid period of the record in which the mode 203 is "temporary". For example, in the fourth record of FIG. 2, the in-vehicle device 30 is in the range of latitudes X11 to X12 and the longitude is in the range of Y11 to Y12, and further, from 10:00 to 10:30 on January 1, 2016. It is shown that it is effective only for 30 minutes.
The information stored in the log priority table collection storage unit 113 of the server 10 and the log priority table storage unit 162 of the in-vehicle device 30 may be information other than the table format as shown in FIG. That is, any form of information is stored in the log priority table collection storage unit 113 or the log priority table storage unit 162 as long as the information appropriately represents the priority of the logs stored in the log storage unit 163. May be good.

(Log table)
FIG. 3 is a diagram illustrating the configuration of the log table stored in the log table collection storage unit 112 of the server 10 and the log table storage unit 161 of the in-vehicle device 30. The log table is a table that specifies information to be collected as a log by the log collection unit 151. Note that FIG. 3 shows an example of a log table for one vehicle-mounted device 30 stored in the log table storage unit 161 of the vehicle-mounted device 30. Therefore, a plurality of types of log tables as shown in FIG. 3 are stored in the log table collection / storage unit 112 of the server 10 according to the number of in-vehicle devices 30 included in the log collection system 1. The log table is composed of one or a plurality of records, and is composed of two fields, a log type 301 and a log content 302. In the field of the log type 301, an identifier indicating the log type, that is, the same information as the log type 202 of the log priority table is stored. The specific content of the information to be acquired as a log is stored in the field of the log content 302.
The information stored in the log table collection storage unit 112 of the server 10 and the log table storage unit 161 of the in-vehicle device 30 may be information other than the table format as shown in FIG. That is, any form of information may be stored in the log table collection storage unit 112 or the log table storage unit 161 as long as the information appropriately represents the contents of the log collected by the log collection unit 151.

(Attack detection)
It is assumed that the in-vehicle device 30 connected to the network is subject to various attacks from the outside. It is also expected that they will be attacked closely related to a specific service.
As an attack not limited to a specific service, for example, a DoS (Denial of Service) attack can be considered. A DoS attack wastes communication resources and calculation resources by sending a large amount of data, and hinders the normal operation of the in-vehicle device 30. This attack is detected by recording the packet reception amount indicating the amount of received data of the in-vehicle device 30 and the CPU usage rate indicating the magnitude of the processing load. Therefore, if it is determined that a DoS attack may have occurred, the packet reception amount and the CPU usage rate are preferentially recorded in the temporary log table described later.

Attacks related to a particular service include, for example, unauthorized access to files used by the service. For example, the following case is assumed in which only a specific program is authorized to read / write file A for a specific file (hereinafter referred to as file A) used by a certain service. That is, it is assumed that a person who wants the information stored in the file A accesses the in-vehicle device 30 and illegally acquires the information in the file A. This attack is detected by recording the access to file A, for example, the name of the program that accessed it and the access time. Therefore, if it is determined that unauthorized access may have occurred, the date and time when the access to file A occurred, the program that accessed it, etc. are preferentially recorded in the temporary log table described later. ..

(Temporary log table)
FIG. 4 is a diagram illustrating the configuration of the temporary log table stored in the temporary log table storage unit 114 of the server 10. The extra log table consists of one or more records. The temporary log table is composed of fields of attack type 401, in-vehicle device 402 subject to temporary log, log type 403, collection condition 404, area 405, service 406, and validity period 407. In the following, the logs collected based on this temporary log table will be referred to as "temporary logs".

In the field of attack type 401, the type of attack determined by the log analysis unit 101 of the server 10 that an attack may occur is stored.
In the field of the vehicle-mounted device 402 for collecting the temporary log target, the conditions of the vehicle-mounted device 30 for which the log is temporarily collected are stored. In other words, it is a condition of the in-vehicle device 30 for which the log priority table is updated. This condition is, for example, a geographical condition or a condition relating to the configuration of the in-vehicle device 30. The geographical condition is, for example, that the log determined to have a possibility of attack exists within a predetermined distance from the point where the log is collected. The condition regarding the configuration of the in-vehicle device 30 is, for example, that the model matches the in-vehicle device 30 that has collected the logs determined to have a possibility of attack.

In the field of log type 403, the identifier of the log to be temporarily collected is stored. In the field of condition type 404, the condition for collecting the temporary log is stored. In the field of the area 405, the condition of the area when the condition type 404 indicates the area is stored. The field of service 406 stores the condition of the service being executed when the condition type 404 indicates a service. The validity period of the temporary log collection is stored in the field of the validity period 407. The collection condition 404 is not limited to the area and the service, and other conditions may be used. In that case, a new field for describing the contents of the collection conditions will be provided in the temporary log table.

When the log analysis unit 101 determines that an attack on any of the in-vehicle devices 30 may occur, the temporary log information creation unit 102 of the server 10 is stored in the temporary log table storage unit 114 in the temporary log table. Based on this, among the log priority tables stored in the log priority table collection storage unit 113, the log priority tables for a plurality of vehicle-mounted devices 30 including the vehicle-mounted device are rewritten. When the rewritten log priority table is transmitted from the server 10 to each in-vehicle device 30, the log priority table stored in the log priority table storage unit 162 in each in-vehicle device 30 is updated. As a result, the log priority table of the in-vehicle device 30 is changed to reflect the temporary log table, and the log corresponding to the changed log priority table is accumulated in the in-vehicle device 30. In the example of the log priority table shown in FIG. 2, three records in which the field of mode 203 is "temporary" are the records added based on the temporary log table. Of these records, the top two are records added at 10:00 on January 1, 2016 because it was determined that there was a possibility of a "DoS attack", and the bottom one was 2016. This record was added because it was determined that there was a possibility of "unauthorized access" at 9:00 on January 1, 2014.

(Log collection)
The log collection unit 151 of the in-vehicle device 30 collects logs in a predetermined time cycle, for example, every minute. The information collected by the log collecting unit 151 is described in the log table included in the program.
The logs collected by the log collection unit 151 are merged as much as possible and stored in the log storage unit 163. Log merging is to save a new log together without increasing the amount of data by rewriting the saved log. The information to be rewritten at the time of merging is mainly the information related to the time. For example, when the average packet reception amount in 5 minutes from 10:00 is 80 packets / minute, the log is recorded as "10: 00-10: 05 80P / min". If the average value of the packet reception amount for 5 minutes from 10:05 is also 80 packets / minute, it can be merged with the previous log and recorded as "10: 00-10: 10 80P / min". If the average value of the packet reception amount for 5 minutes from 10:05 is 100 packets / minute, it may be merged with the previous log and recorded as "10: 00-10: 10 90P / min". ..

(Flowchart of log collection)
FIG. 5 is a flowchart showing a process in which the in-vehicle device 30 acquires and accumulates logs. The execution subject of each step described below is the CPU 150 of the in-vehicle device 30.

In step S601, the log collection unit 151 is used to collect logs. As described above, the log information collected by the log collection unit 151 is hard-coded in the program. The log collected in this step is stored in the temporary storage area and is not yet stored in the log storage unit 163. In the following step S602, it is determined whether or not the acquired log can be merged with the log stored in the log storage unit 163. If it is determined that the merge is possible, the process proceeds to step S609, and if it is determined that the merge is impossible, the process proceeds to step S603. If it is determined that only some of the logs can be merged because a plurality of logs have been acquired, the processes after step S603 are performed only for the logs that cannot be merged.

In step S603, the free space of the log storage unit 163 is compared with the capacity of the acquired log, and it is determined whether or not the log can be stored in the log storage unit 163. If it is determined that the accumulation is possible, the process proceeds to step S613, and if it is determined that the accumulation is impossible, the process proceeds to step S604. The judgment in this step may be made by simply comparing the free space of the log storage unit 163 with the acquired log capacity, or the capacity obtained by subtracting the predetermined reserved capacity from the free space of the log storage unit 163 and the acquired log. The capacities may be compared.
In step S604, it is determined whether or not the acquired log can be transmitted to the server 10, that is, whether or not the in-vehicle device 30 and the server 10 can communicate with each other. If it is determined that the log transmission is possible, the process proceeds to step S610, and if it is determined that the log transmission is impossible, the process proceeds to step S605.

In step S605, the log priority table stored in the log priority table storage unit 162 is referred to, and the priority of the log determined to be untransmittable is determined. At this time, the record in which the field of the condition type 204 of the log priority table is other than "always" is treated as valid only when the described condition is satisfied, and is treated as invalid when the condition is not satisfied. If treated as invalid, it is considered to have the lowest priority, as if it were not listed in the log priority table.

In the following step S606, the priority of the accumulated logs is determined based on the free space of the log storage unit 163. The larger the free space, the lower the priority, and the smaller the free space, the higher the priority of the logs. In the following step S607, the priority determined in step S606 and the priority of the acquired log specified in step S605 are compared. If it is determined that the priority of the acquired log is higher, the process proceeds to step S612, and if it is determined that the priority of the acquired log is equal to or lower than the priority determined in step S606, the process proceeds to step S608.

In step S608, the acquired log is discarded and the flowchart of FIG. 5 ends.
In step S609, the acquired log is merged with the log stored in the log storage unit 163, and the flowchart of FIG. 5 ends.
In step S610, which is executed when a positive determination is made in step S604, the log stored in the log storage unit 163 is transmitted to the server 10. In the following step S611, it is determined whether or not the log transmission is successful, and if it is determined that the log transmission is successful, the process proceeds to step S613, and if it is determined that the log transmission is unsuccessful, the process proceeds to step S605.

In step S612, which is executed when a positive determination is made in step S607, the log having the lowest priority among the logs stored in the log storage unit 163 is discarded. In step S613, the acquired log is stored in the log storage unit 163 of the memory 160, and the flowchart of FIG. 5 ends.

(Operation of log analysis unit)
The log analysis unit 101 of the server 10 analyzes the log acquired from the in-vehicle device 30 to detect the possibility of an attack on the in-vehicle device 30 or detect an attack on the in-vehicle device 30. Attacks on the in-vehicle device 30 are diverse, and new methods are being devised every day. The detection method described here is an example, and when a new attack method becomes clear, an analysis method for detecting the attack is implemented in the log analysis unit 101. Detection of DoS attacks will be described as an example of the operation of the log analysis unit 101.

The log analysis unit 101 detects the possibility that a DoS attack has occurred using the log of a certain vehicle-mounted device 30. After detecting the possibility that a DoS attack has occurred, the log analysis unit 101 determines whether or not a DoS attack has actually occurred by using the detailed logs of the plurality of in-vehicle devices 30. In other words, the log analysis unit 101 detects the possibility of an attack using a small number of logs, and obtains certainty that an attack has occurred using a large number of detailed logs.
The log analysis unit 101 determines the possibility of a DoS attack by comparing the packet reception amount per unit time of the in-vehicle device 30 in a certain area with the packet reception amount in another area. The log analysis unit 101 determines that there is no possibility of an attack occurring if the difference in packet reception amount is below a certain threshold value, and if the difference in packet reception amount exceeds a certain threshold value, there is a possibility that a DoS attack may occur. Judge that there is.

The log analysis unit 101 determines that a DoS attack is actually occurring by using the CPU usage rate in addition to the packet reception amount. A DoS attack occurs when the difference between the packet reception amount per unit time of the in-vehicle device 30 in a certain area and the packet reception amount in another area exceeds the threshold value and the CPU usage rate exceeds a predetermined threshold value. Judge that there is. The comparison of the packet reception amount may target the average packet reception amount in the past at the same time in the same area.

(Processing after receiving the log)
A series of processes after the server 10 collects logs from the in-vehicle device 30 will be described with reference to FIG. The execution subject of each step described below is the CPU 100 of the server 10.
In step S701, the received log is analyzed by using the log analysis unit 101. The log analysis unit 101 determines the possibility of an attack and the type of attack that may have occurred. In the following step S702, the analysis result in step S701 is referred to, and if it is determined that an attack may have occurred, the process proceeds to step S703, and if it is determined that an attack has not occurred, the flowchart of FIG. 6 is displayed. finish.

In step S703, the temporary log information creation unit 102 determines the in-vehicle device 30 for which the temporary log is to be collected. First, the CPU 100 searches the temporary log table for a record that matches the attack type specified from the log analysis result in step S701. Next, the CPU 100 determines the temporary log collection target by referring to the field of the temporary log collection target 402 in the corresponding record. For example, as shown in FIG. 4, the in-vehicle device 30 existing within a radius of 2 km from the point where the log determined to have a possibility of attack is collected, and the log determined to have a possibility of attack are collected. The same model as the vehicle-mounted device 30 and two similar models of the vehicle-mounted device 30 are determined as collection targets. Next, the process proceeds to step S704. Steps S704 to S706 described below are executed for each in-vehicle device 30 determined in this step.

In step S704, the temporary log information creation unit 102 updates the log priority table stored in the log priority table collection storage unit 113. The log priority table to be updated in this step is a log priority table corresponding to the in-vehicle device 30 to be collected from the temporary log determined in step S703. The update of the log priority table is a new log priority table with log type 403, condition type 404, area 405, service 406, and validity period 407 described in the record identified in step S703 of the temporary log table. It is something to add to the record. However, the area 405 is rewritten based on the position of the in-vehicle device 30 when the log in which the possibility of an attack is detected is collected. Further, the validity period 407 is rewritten based on the time when the log in which the possibility of attack is detected is acquired. At this time, the priority of the record to be added is set to "1" indicating the highest priority. Next, the process proceeds to step S705.

In step S705, the log priority change instruction unit 103 creates a log priority table change request message based on the log priority table updated in step S704. Then, the log priority change instruction unit 103 transmits the created log priority table change request message. Next, the process proceeds to step S706.
In step S706, the log change instruction unit 104 creates an update program that changes the operation of the log collection unit 151 of the in-vehicle device 30 based on the log priority table updated in step S704. This update program causes the log collection unit 151 to collect all the log types listed in the updated log priority table. Then, the log change instruction unit 104 transmits the created update program. Next, the process proceeds to step S707.

In step S707, it is determined whether or not the temporary log has been received from the in-vehicle device 30, and if it is determined that the temporary log has been received, the process proceeds to step S708, and if it is determined that the temporary log has not been received, the process proceeds to step S713. In step S713, it is determined whether or not a predetermined time, for example, 30 minutes has elapsed from the execution of step S706. If it is determined that the predetermined time has not elapsed, the process returns to step S707, and if it is determined that the predetermined time has elapsed, the process proceeds to step S710. This is because if the temporary log is not transmitted from any of the relevant in-vehicle devices for a certain period of time, it means that the log cannot be collected or the log cannot be transmitted, and it can be inferred that some kind of attack has occurred.

In step S708, the received temporary log is analyzed by using the log analysis unit 101. In the following step S709, if it is determined from the analysis result of step S708 that an attack has occurred, the process proceeds to step S710, and if it is determined that an attack has not occurred, the flowchart of FIG. 6 ends.
In step S710, the output unit 140 is used to notify the operator of the server 10 of the occurrence of an attack. In the following step S711, it is determined whether or not an emergency stop of the service is necessary. If it is determined that an emergency stop of the service is necessary, the process proceeds to step S712, and if it is determined that it is unnecessary, the flowchart of FIG. 6 ends. In step S712, the service instruction unit 105 is used to instruct the in-vehicle device 30 to stop the service in an emergency, and the flowchart of FIG. 6 ends.

(Log priority table update process)
FIG. 7 is a flowchart showing an update process of the log priority table by the in-vehicle device 30. The execution subject of each step described below is the log priority table management unit 152.
In step S800, it is determined whether or not the log priority table update request message has been received from the server 10. If it is determined that the signal has been received, the process proceeds to step S803, and if it is determined that the signal has not been received, the process proceeds to step S801.

In step S803, the log priority table stored in the log priority table storage unit 162 is updated according to the received log priority table update request message. As described above, since the log priority table update request message includes the entire contents of the log priority table after rewriting, updating in this step means replacing the log priority table. Next, the process proceeds to step S809.
In step S801, which is executed when it is determined that the message has not been received in step S800, it is determined whether or not a certain time, for example, 5 minutes has elapsed since the previous execution of step S805. If it is determined that the elapse has passed, the process proceeds to step S805, and if it is determined that the elapse has not occurred, the process returns to step S800.

In step S805, it is determined whether or not there is a record whose mode 203 field is "temporary" in the log priority table stored in the log priority table storage unit 162. If it is determined that the corresponding record exists, the process proceeds to step S806, and if it is determined that the corresponding record does not exist, the process returns to step S801.

In step S806, with respect to the record in which the field of mode 203 of the log priority table is "temporary", the record whose valid time has passed is deleted. For example, if the current time is 10:45 on January 1, 2016 and the log priority table is as shown in FIG. 2, the top of the three records in which the mode 203 field is "temporary" Two records are deleted. This is because these records have passed the valid time, and the remaining one record has not passed the valid time. Next, the process proceeds to step S809.
In step S809, the CPU 150 uses the output unit 190 to notify the user of the status, that is, that the log priority table has been rewritten, and returns to step S801.

(Update process of the program that collects logs)
FIG. 8 is a flowchart showing a program update process for updating a program in which the in-vehicle device 30 functions as a log collecting unit. The execution subject of each step described below is the program update unit 153 of the in-vehicle device 30. When the in-vehicle device 30 receives the update program from the server 30, the in-vehicle device 30 executes the program update process. This update program was transmitted from the server in step S706 of FIG.

In step S901, it is determined whether or not the program can be updated. The situation in which the program can be updated is, for example, a situation in which the vehicle equipped with the in-vehicle device 30 is stopped. If it is determined that the situation is updatable, the process proceeds to step S902, and if it is determined that the situation is not updatable, the process stays at step S901.
In step S902, the program is updated using the update program. The program update may be a replacement of the entire program, or a partial change of the program, so-called patch application. In the following step S903, the program is started to operate the log collection unit 151 to start log collection. This completes the process according to the flowchart of FIG.

According to the above-described embodiment, the following effects can be obtained.
(1) An in-vehicle device 30 connected to a server 10 by a network 20 and mounted on a vehicle, a log collecting unit 151 for collecting logs, a log storage unit 163 for accumulating at least a part of logs, and a log. The log priority information storage unit 162 in which the log priority information indicating the priority of the log stored in the storage unit 163 is stored, and the storage log determination for determining the log to be stored in the log storage unit 163 based on the log priority information. Units (steps S605 to S607 in FIG. 5), a communication unit 170 that transmits the log accumulated in the log storage unit 163 to the server 10, and a log priority information storage unit 162 based on an update command from the server 10. It is provided with a log priority table management unit 152 for updating the log priority information.
Since the in-vehicle device 30 is configured in this way, the priority of the log can be changed based on the command from the server 10. Therefore, it is possible to collect appropriate logs according to the situation of the in-vehicle device. Further, the server 10 can analyze this log to determine that an attack is actually occurring.

(2) The in-vehicle device 30 includes a log information storage unit 161 in which log information indicating the contents of the log collected by the log collection unit 151 is stored, and a program update unit 153 that updates the log information stored in the log information storage unit. And.
Therefore, when the server 10 detects the possibility of an attack, it is possible to collect information that was not previously collected.

(3) The log collection unit 151 is a log acquisition program in which log information is incorporated, and the program update unit 153 updates the log information by rewriting the log acquisition program.
Therefore, the log collecting unit 151 does not need to read the information indicating the information to be collected as a log from the outside, so that the log collecting unit 151 can operate at high speed.

(4) The in-vehicle device 30 includes a service control unit 154 that controls services provided to the occupants of the vehicle 1. The service control unit 154 stops the service based on the command from the server 10. Therefore, the service affected by the attack can be stopped based on the command from the server 10.

(5) Log priority information includes conditions relating to at least one of valid time and valid area. The storage log determination unit (steps S605 to S607 in FIG. 5) determines the log priority information when at least one of the time when the log is collected and the position of the in-vehicle device matches the conditions in the log priority information. It is considered valid and the log to be accumulated in the log storage unit 163 is determined.
Therefore, the log collecting unit 151 can determine the priority of the log according to the state of the in-vehicle device 30. This is when it is determined whether or not the position of the in-vehicle device 30 satisfies the condition stored in the area 205, and the log is collected before the record whose valid time has passed is deleted by the log priority table management unit 152. This is effective when unit 151 refers to the log priority table.

(6) The log collection system 1 is composed of an in-vehicle device 30 and a server 10 connected to the in-vehicle device 30 by a network 20. The server 10 analyzes the log received from the in-vehicle device 30 and detects the possibility of an attack, and when the log analysis unit 101 detects the possibility of an attack, the server 10 transmits an update command to the in-vehicle device 30. , A log priority change instruction unit 103 for updating the log priority information stored in the log priority information storage unit 162.
Therefore, when the server 10 detects the possibility of an attack from the log transmitted by the vehicle-mounted device 30, the log collecting system 1 can change the priority of the log stored in the vehicle-mounted device 30.

(7) The in-vehicle device 30 includes a log information storage unit 161 in which log information indicating the contents of the log collected by the log collection unit 151 is stored. The server 10 includes a log change instruction unit 104 that updates the log information stored in the log information storage unit 161.
Therefore, the server 10 can change the contents of the log collected by the in-vehicle device 30. As a result, when the server 10 detects the possibility of an attack, the in-vehicle device 30 can collect detailed logs.

(8) In addition to the in-vehicle device 30 that transmitted the log in which the possibility of attack was detected, the log priority change instruction unit 103 detected that it was the same model as the in-vehicle device and that the possibility of attack was detected. The update command is also output to the other in-vehicle device 30 that satisfies at least one of the conditions that the log exists within a predetermined distance from the acquired position.
Therefore, the server 10 can also collect logs used for determining that an attack has occurred from a plurality of other in-vehicle devices 30 that are likely to be attacked. Since it is difficult to determine that an attack has occurred based only on the logs of one specific in-vehicle device 30, or there is a high possibility of over-detection, the server 10 comprehensively uses the logs of a plurality of in-vehicle devices 30. Can be judged.

(9) The in-vehicle device 30 includes a service control unit 154 that controls services provided to the occupants of the vehicle. The server 10 includes a service instruction unit 110 that outputs a service stop command to the in-vehicle device 30 when the log analysis unit 101 detects an attack.
Therefore, the in-vehicle device 30 can stop the service affected by the attack based on the command from the server 10.

(10) Log priority information includes conditions relating to at least one of valid time and valid area. The log priority change instruction unit 103 sets the updated log priority information based on at least one of the time and position when the in-vehicle device 30 collects the log in which the possibility of attack is detected by the log analysis unit 101. Determine at least one of the effective time and effective area.
Therefore, the log collection system 1 can collect temporary logs based on at least one of the time and position at which the log in which the possibility of an attack was detected was collected, and can determine that an attack is actually occurring. ..

The above-described embodiment may be modified as follows.
(Modification example 1)
The server 10 may create a log priority table change request message that partially updates the log priority table. In this case, the log priority table change request message includes information indicating the existing record to be deleted and information indicating the content of the record to be added. According to this modification 1, the data capacity of the log priority table change request message can be reduced.

(Modification 2)
The log table and log priority table are rewritten so that the operator of the server 10 can obtain knowledge about a new attack method and detect the possibility of the attack, and use the log priority change instruction unit 103 and the log change instruction unit 104. These may be transmitted to the in-vehicle device 30. According to this modification 2, it is possible to deal with the attack method that became clear after the in-vehicle device 30 was shipped. However, only one of the log table and the log priority table may be rewritten.

(Modification example 3)
The server 10 may transmit a program for executing a new service to the in-vehicle device 30 and cause the in-vehicle device 30 to execute the service. In that case, information about the service is added to the log table, the log priority table, and the temporary log table of the in-vehicle device 30.

For example, when a remote maintenance service is added in which a message introducing parts replacement time and inspection is delivered from the server 10 to the user based on vehicle information such as the mileage collected by the in-vehicle device 30, the following problems are considered. Be done. That is, a service provider other than the service provider who manages the server 10 may impersonate the server 10 to send a message to the in-vehicle device 30, and an advertisement or false information not desired by the user may be displayed on the in-vehicle device 30. Therefore, when adding this service, the log table is changed to collect the message reception time and the message source. At this time, "always" is input in the fields of these condition types 204.
If the function of the service provided in advance is expanded and it becomes necessary to collect new logs, it can be dealt with by modifying the table, log priority table, and temporary log table in the same manner.

(Modification example 4)
In the embodiment, the log analysis unit 101 analyzes the temporary log, and when it detects that an attack is actually occurring, the in-vehicle device 30 stops the service (FIG. 6, step S712). However, when the log analysis unit 101 determines that an attack may occur, the in-vehicle device 30 may stop the service. According to this modification 4, the adverse effect of the attack on the service can be further reduced.

(Modification 5)
In the embodiment, when it is determined that an attack has occurred after analyzing the temporary log, the operator is notified, but the following may be changed. That is, even if it is determined that an attack may occur at the beginning, the operator is notified, the operator checks the changed log table and log priority table, and then sends a log priority table change request message. May be good.

(Modification 6)
In the embodiment, when the log is collected from the in-vehicle device 30, the log analysis is started, but the log may be analyzed in the following cases. For example, when a certain amount of time has passed, a certain amount of logs have been accumulated, a certain number or more of in-vehicle devices 30 have been collected, or an analysis start command has been received from an operator using the input unit 130. The log may be analyzed in some cases.

(Modification 7)
The in-vehicle device 30 may preferentially determine whether or not the log can be transmitted when the log is collected. That is, in FIG. 6, the process may proceed to step S604 after the execution of step S601, and if a negative determination is made in step S604, the process may proceed to step S602. In this case, if a negative determination is made in step S603, the process proceeds to step S605. According to this modification 7, it is not necessary to merge the logs when communication with the server 10 is possible.

(Modification 8)
The log collecting unit 151 of the in-vehicle device 30 may read information indicating information to be collected as a log from the outside. That is, the information indicating the information to be collected as a log does not have to be hard-coded in the program. In this case, the log table storage unit 161 is stored in the memory 160, and the log collection unit 151 refers to the log table stored in the log table storage unit 161 to collect logs.
According to this modification 8, the information collected by the log collecting unit 151 as a log can be easily changed.

(Modification 9)
Even if the server 10 includes the information for identifying the target for changing the log priority table in the log priority table change request message and sends the log priority table change request message to other than the target for changing the log priority table. good. In this case, the vehicle-mounted device 30 that has received the log priority table change request message determines whether or not the vehicle-mounted device 30 is the target of the log priority table change request message.
According to this modification 9, since the log priority table change request message can be transmitted without specifying the transmission target, it is easy to determine the transmission destination of the server 10.

(Modification example 10)
In the embodiment, it is assumed that a plurality of vehicle-mounted devices 30 are connected to the server 10, but only one vehicle-mounted device 30 may be connected to the server 10.

(Modification 11)
In the embodiment, when the log priority table is updated (step S702 in FIG. 6: YES), an update program for changing the operation of the log collecting unit 151 of the in-vehicle device 30 is created and transmitted (step S702 in FIG. 6: YES). Step S706 in FIG. 6). However, if all the log types described in the updated log priority table are collected by the existing log collection unit 151, the creation and transmission of the update program may be omitted.

The above-described embodiments and modifications may be combined.
Although various embodiments and modifications have been described above, the present invention is not limited to these contents. Other aspects conceivable within the scope of the technical idea of the present invention are also included within the scope of the present invention.

1 ... Log collection system 10 ... Server 20 ... Network 30 ... Server 30 ... In-vehicle device 101 ... Log analysis unit 102 ... Temporary log information creation unit 103 ... Log priority change instruction unit 104 ... Log change instruction unit 105 ... Service instruction unit 110 … Service stop command unit 110… Memory 111… Collection log storage unit 112… Log table collection storage unit 113… Log priority table collection storage unit 114… Temporary log table storage unit 120… Server communication unit 151… Log collection unit 152… Log Priority table management unit 153 ... Program update unit 154 ... Service control unit 160 ... Memory 161 ... Log table storage unit 162 ... Log priority table storage unit 163 ... Log storage unit 164 ... In-vehicle device information storage unit 165 ... Update program storage unit 170… In-vehicle communication unit

Claims (6)

It is a log analysis method in a server device that is connected to a plurality of in-vehicle devices mounted on a vehicle by a network and receives and analyzes logs accumulated in the in-vehicle devices.
The first step of analyzing the logs received from the plurality of in-vehicle devices and determining the possibility that an attack has occurred in each in-vehicle device, and
When it is determined that an attack may have occurred in the first step, the second step of determining the in-vehicle device for which the temporary log is to be collected from the plurality of in-vehicle devices, and
A log priority table change request message is transmitted to the in-vehicle device for which the temporary log is collected in the second step, requesting the in-vehicle device to change the log priority table indicating the priority of the logs accumulated in the in-vehicle device. The third step to do and
In the third step, when a temporary log is received from the in-vehicle device that sent the log priority table change request message, the fourth step of analyzing the temporary log to determine whether or not an attack has occurred, and the fourth step.
An attack occurs when it is determined that an attack has occurred in the fourth step, and when the temporary log is not received within a predetermined time from the in-vehicle device that sent the log priority table change request message in the third step. The fifth step of notifying and
A log analysis method characterized by having. In the log analysis method according to claim 1,
The notification of the occurrence of an attack in the fifth step is a notification to the operator of the server device, and when the operator determines that an emergency stop of the service is necessary, the operator instructs the server device to stop the service in an emergency. A log analysis method characterized by being performed. In the log analysis method according to claim 1,
The in-vehicle device for which the temporary log is collected in the second step is a vehicle device that exists within a predetermined distance from the vehicle device that is determined to have an attack in the first step. Log analysis method. In the log analysis method according to claim 1,
The in-vehicle device for which the temporary log is collected in the second step is the same model as or similar to the vehicle device determined to have an attack in the first step. Log analysis method. In the log analysis method according to claim 1,
A log analysis method, characterized in that the priority of a record requested to be added by the log priority table change request message transmitted in the third step is given the highest priority over other records. A log priority table management method for an in-vehicle device connected to a server device that performs the log analysis method according to claim 1 by a network.
The sixth step of receiving the log priority table change request message from the server device, and
The seventh step of updating the log priority table stored in the in-vehicle device according to the received log priority table change request message, and
In the log priority table, for the record indicated to be temporary, the eighth step of deleting the record whose valid time has expired, and
A log priority table management method characterized by having.

Images